IT Security News Blast 9-7-2017

The SEC’s chairman says regulators need to do more to educate retail investors on the risks created by cyber crime, Reuters reports. […] “I am not comfortable that the American investing public understands the substantial risks that we face systemically from cyber issues,” Clayton was quoted saying Tuesday during a panel discussion at New York University. “I’d like to see better disclosure around that.”

Crime-as-a-service is when a professional criminal or group of criminals develop advanced tools, “kits” and other packaged services which are then offered up for sale or rent to other criminals who are usually less experienced. This is having a powerful effect on the world of crime — and cybercrime in particular — because it lowers the bar for inexperienced actors to launch sophisticated cyber attacks and scams. In 2017, Europol released a new study that flagged CaaS as a major facilitator of serious online crimes, as well as traditional crimes like illegal weapons sales.

Hackers lie in wait after penetrating US and Europe power grid networks

Nation-sponsored hackers have penetrated the operational networks multiple US and European energy companies use to control key parts of the power grid that supplies electricity to hundreds of millions of people, researchers warned Wednesday. The incursions detected by security firm Symantec represent a dramatic escalation by a hacking group dubbed Dragonfly, which has been waging attacks against US and European energy companies since at least 2011. In 2014, Symantec reported that Dragonfly was aggressively establishing beachheads in a limited number of target networks, mainly by stealing the user names and passwords used to restrict access to legitimate personnel.

Intrusion – but no attack – on U.S. energy grid is a warning, says former NSA official

The aim is to make clear to the United States that its systems are vulnerable and thus make the president think twice before engaging in any kind of military action, with the looming threat of darkened cities a possibility, he said. “I think preparation for a potential attack is what we’re seeing. And whoever’s doing this, presumably the Russians, want us to know. People in the intelligence business always say that when the Russians are found, it’s because they want to be found.”

For a wind farm or power plant owner, the answer includes safeguarding networks and control systems to eliminate unexpected outages and unplanned downtime. “This comes down to mitigating risks and delivering on a promise of productivity — which means ensuring a utility or plant owner can fully live up to the obligations of what they’ve bid for electricity,” he says. “But when we look at power and utility customers, over 60% of the leaders tell us that their security strategy is not aligned to today’s environment risk.”

Legacy devices are the biggest cybersecurity challenge right now, not the devices that are new to the market, according to Yarmela Pavlovic, who is a partner in the FDA Medical Device practice at Hogan Lovells. […] Devices that weren’t intended to be network-connected are sometimes being “jerry-rigged with WiFi connectors or other network connections,” she added. For example, older devices might have USB ports that were meant for uploading software, but which might also be used to connect the device to a hospital network.

The most recent lawsuit – filed in Los Angeles Superior Court – claims that Aetna’s “utter failure to protect and safeguard” protected healthcare information (PHI) violated both state and federal law. The 22-page putative class action complaint was brought on behalf of an unidentified Los Angeles resident, referred to only as “S.A.” in the complaint, together with other California policyholders whose PHI was allegedly exposed in the incident.

Weighing in on the FBI’s use of malware to identify and arrest users of the dark web child pornography site Playpen, a Texas federal judge last week ruled in favor of the U.S. Department of Justice, rejecting a motion to suppress evidence obtained in the course of the investigation. […] Western Texas U.S. District Court Judge Xavier Rodriguez ruled that the warrant the FBI obtained from a local magistrate judge to implant the NIT was not too broad in its scope to violate the Fourth Amendment’s particularity requirement.

And from Oct. 1, users posting comments on web platforms or other internet forums will have to use their real identities. Forbidden content includes damaging the nation’s honor, endangering national security, spreading rumors and disrupting social order. The list encompasses just about anything the authorities decide they don’t like. China’s cyber-regulator has banned any VPNs it has not approved, leading to shutdowns across the country. Apple has removed VPNs from its China app store, in a move that Amnesty International described as a “deplorable decision.”

The Canadian government will require that companies operating in the country report all data breaches to their customers and a privacy watchdog as soon as possible after discovery, a rule that security experts said was long overdue. “Once in place, the regulations will reduce harm to individuals arising from breaches, and encourage stronger information security practices,” the office of Innovation Minister Navdeep Bains said in a statement on Wednesday.

The draft includes special provisions around “illegal cyber information” that “incites any mass gatherings that disturb security and order, and anti-government activities in cyberspace.” The law also sets new standards for “critical systems,” stipulating that operators of such systems must store system data on Vietnamese soil, but it does not offer a clear definition of “critical systems”. Assuming it goes into effect, the Law on Cybersecurity will increase the government’s ability to control independent voices online, which are already heavily scrutinized and regularly silenced under Vietnam’s Penal Code.

Crime-as-a-Service infrastructure and autonomous attack tools enable adversaries to easily operate on a global scale. Threats like WannaCry were remarkable for how fast they spread and for their ability to target a wide range of industries. Yet they could have been largely prevented if more organizations practiced consistent cyber hygiene. Unfortunately, adversaries are still seeing a lot of success using popular exploits against vulnerabilities that have not been patched or updated. To complicate matters more, once a particular threat is automated, attackers are no longer limited to targeting specific industries, so their impact and leverage only increase over time.

We believe the value of data to firms is rising, as is the threat of its compromise. As long as malicious innovation outpaces benevolent innovation, the cybercrime wave will endure, putting upward pressure on budgets for data defense. […] The new security paradigm should mirror the cloud compute paradigm in that it is: 1) on-demand; 2) borderless; 3) without hardware; 4) dynamically priced; and 5) scalable. An appliance-based approach fails on each count, thus we expect spend to be redistributed to other controls and cloud-first innovators.

The global cyber security market is forecast to grow at a CAGR of 12.88% during the period 2017-2021. […] According to the report, one of the major drivers for this market is the increase in use of mobile devices. With the increasing adoption of mobile devices, such as mobile phones, laptops, and tablets, the need for cyber security solutions is increasing. […] The latest trend gaining momentum in the market is the adoption of IoT. IoT is an interconnection between devices, and allows the exchange of large volumes of data stored in the cloud.

The banishment was previously floated as a way of “countering Russian aggression,” and follows years of Kaspersky-bashing inside Congress and outside. Amid the Senate advisory committee’s deliberations, Eugene Kaspersky offered up the source code of his software for review – an offer no one in the US government has taken up. Earlier, in May, five US spy bosses and the acting FBI chief were unanimous in saying they would not use Kaspersky software – although, like Senator Shaheen, they offered no evidence as to why. The following month the FBI raided the homes of some Kaspersky employees, but no arrests were made.

“An attacker has to have root capabilities over a phone to exploit one of these six vulnerabilities,” said Nilo Redini, one of the nine computer scientists who coauthored the report (PDF). “One might say, ‘Well if they have root access, that’s already game over. Why even bother?’”

Once a user visits the compromised site, it displays a popup message stating that the website is only viewable in the “Hoefler Text” font, which can be installed by clicking the “update” button. As shown in the screenshot below, the pop-up states: “The HoeflerText font wasn’t found. The webpage you are trying to load is displayed incorrectly, as it uses the “Hoefler Text” font. To fix the error and display the text, you have to update the “Chrome Font Pack.”

SynAck differs from other ransomware families by demanding that victims contact its operators directly through email or a BitMessage ID in order to arrange the ransom payment, usually about $2,100 in bitcoin, instead of setting up a payment portal, reported Bleeping Computer. Additionally, the malware appends its own randomly generated 10-character alphanumeric extension to each encrypted file. Attacks begin with remote desktop protocol (RDP) brute-force attacks to gain access to remote computers; the operators then manually download and install the ransomware. Bleeping Computer said victims included Windows Server machines and enterprise workstations.
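The intrusion pattern described above (an RDP password-guessing burst followed by a successful logon from the same source, then files renamed with a random 10-character extension) is something a defender can hunt for in Windows Security logs. The following is an added example, not code from the original post or from Bleeping Computer's report. It assumes a simplified, constructed log format carrying the Windows event fields that matter (4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive, i.e. RDP); the sample events, the `threshold`/`window` values and the `KNOWN_LONG_EXTENSIONS` allowlist are assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, one event per line:
# <timestamp> <event_id> <logon_type> <account> <source_ip>
SAMPLE_EVENTS = """\
2017-09-05T02:14:01 4625 10 administrator 203.0.113.45
2017-09-05T02:14:02 4625 10 admin 203.0.113.45
2017-09-05T02:14:03 4625 10 backup 203.0.113.45
2017-09-05T02:14:05 4625 10 administrator 203.0.113.45
2017-09-05T02:14:06 4625 10 sqlsvc 203.0.113.45
2017-09-05T02:14:08 4625 10 administrator 203.0.113.45
2017-09-05T02:14:09 4624 10 administrator 203.0.113.45
2017-09-05T02:20:00 4625 10 jdoe 198.51.100.7
2017-09-05T02:20:30 4624 10 jdoe 198.51.100.7
"""


def parse_events(text):
    """Parse the simplified constructed format above into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, ip = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "account": account,
            "ip": ip,
        })
    return events


def detect_rdp_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failed RDP logons (4625, type 10)
    inside a sliding time window; if a 4624 from the same IP follows the
    burst, record which account the attacker got in as."""
    recent_failures = defaultdict(deque)   # ip -> timestamps of recent 4625s
    alerts = {}                            # ip -> alert dict
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] != 10:         # only RemoteInteractive (RDP) logons
            continue
        ip = ev["ip"]
        if ev["event_id"] == 4625:
            q = recent_failures[ip]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # drop failures outside window
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(
                    ip, {"ip": ip, "first": q[0], "succeeded_as": None})
                alert["failures"] = len(q)
                alert["last"] = ev["ts"]
        elif ev["event_id"] == 4624 and ip in alerts:
            # Success right after a burst from the same source: the guessing worked.
            alerts[ip]["succeeded_as"] = ev["account"]
    return list(alerts.values())


# Legitimate extensions that happen to be 10 alphanumeric characters (assumed list).
KNOWN_LONG_EXTENSIONS = {"properties"}
RANDOM_EXT = re.compile(r"^(?P<stem>.+)\.(?P<ext>[A-Za-z0-9]{10})$")


def looks_synack_encrypted(filename):
    """True if the name ends in a 10-character alphanumeric extension appended
    after an existing name (e.g. 'budget.xlsx.k3Rt7Zq2Wn'), excluding known ones."""
    m = RANDOM_EXT.match(filename)
    if not m:
        return False
    ext = m.group("ext")
    if ext.lower() in KNOWN_LONG_EXTENSIONS:
        return False
    # Random extensions usually mix case and digits; an all-lowercase word is
    # more likely a real extension, so require a digit or an uppercase letter.
    return (not ext.islower()) or any(c.isdigit() for c in ext)


if __name__ == "__main__":
    for alert in detect_rdp_brute_force(parse_events(SAMPLE_EVENTS)):
        print(alert)
    print(looks_synack_encrypted("budget.xlsx.k3Rt7Zq2Wn"))
```

On the constructed sample, the 203.0.113.45 source trips the threshold on its fifth failure, accumulates six failures, and is marked as having succeeded as `administrator`; the single failure from 198.51.100.7 stays below the threshold. The extension check is a heuristic: a randomly generated extension made only of lowercase letters would slip past it, so in practice pair it with a count of such renames per host in a short interval rather than alerting on a single file.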

Malware Author Uses Same Skype ID to Run IoT Botnet and Apply for Jobs

The researcher says DaddyL33t’s botnet retrieves binary files used during the infection process from the DaddyHackingTeam portal. Anubhav, who had a private Skype conversation with the malware dev, says DaddyL33t confessed that his botnet only managed to infect around 300 devices, a very small number when compared to other IoT botnets. […] A reason for this might be that DaddyL33t is just a 13-year-old, something that he confirmed in his private conversations with Anubhav. His lack of experience in developing malware and operation security (OpSec) is evident as Anubhav says he found job applications on a freelancing portal where DaddyL33t used the same Skype ID that he previously used to advertise his botnet.

Initially, the boy tried selling the malware on Twitter but since the social networking site doesn’t provide money transfer option, the 13-year-old sold malicious software on Mercari, a mobile marketplace, The Japan News reported. According to Nara Prefectural Police’s cyber crime unit, the teen admitted selling the malware to four other kids between the age of 14 and 19 because he needed money. The teen shared a website link with the four which hosted the malware designed for targeting several devices including iPhone.


About Critical Informatics

We are world-class information security professionals providing Managed Detection and Response services to help you be secure, compliant, and resilient against threats to the life safety, life-sustaining, and quality-of-life systems and services you provide to clients, customers, constituents, and communities.